The present invention relates to the field of wireless data communication systems. In particular the present invention discloses a method and apparatus for caching credentials in proxy servers used by wireless client devices when accessing protected resources.
To enable commercial transactions on the global Internet, the parties communicating with each other must be able to authenticate each other. Specifically, each party in a transaction must be certain that the person at the other end of the transaction is who that party claims to be. One method of authenticating a client system that is attempting to connect to a server system is to require that the client system provide a credential. A credential is the authentication information used to authenticate a user who wants to access a protected resource such as a server.
A typical credential is a userid (user identifier) and password pair. Another common credential is a derived form of the userid and password pair such as a base-64 encoded userid and password pair. For example, in the Internet environment, a base-64 encoded userid and password pair credential is widely used by World Wide Web servers to authenticate client users before access to the desired server is allowed. Each World Wide Web server communicates with the well-known HTTP protocol [RFC2068] and provides varieties of resources such as HTML documents. Each resource is identified by URI or URL[RFC2068].
To protect a group of Internet resources from unauthorized access, those resources are grouped into xe2x80x9crealmsxe2x80x9d. Each realm consists of a set of Internet resources that define a protected space. When a user wants to access any resource within a particular realm, the user must provide a credential that authenticates the user as an entity that is authorized to access resources within the realm.
HTTP protocol defines a standardized manner for a user agent to submit a credential to an Internet server known as Basic Authentication. Basic Authentication is defined in the IETF""s RFC 2068. In the basic authentication system, a user agent, also known as the web client or the web browser, first accesses a protected resource as identified by the URL without providing any credentials within the initial request. The Internet server denies access and sends back a status code 401 along with an HTTP header xe2x80x9cWWW-Authenticate:xe2x80x9d that requests a credential to access the protected realm. The response with the xe2x80x9cWWW-Authenticate:xe2x80x9d header comprises a challenge response that includes a text string identifying the realm the user agent is attempting to access.
The user agent (the web client or web browser) may then prompt the user to enter the credential information (a userid and password). After receiving credential information, the user agent then resubmits the denied request along with the required credential information in an HTTP header xe2x80x9cAuthorization:xe2x80x9d field. If the credential authenticates the user as an entity that is allowed to access resources within the realm, then the Internet server grants access to the protected resources within the realm. The user agent (the web client or web browser) may cache the credential so that user agent will automatically attach the credential in any subsequent requests to any other resources within the same realm without the need for user intervention.
In a wireless environment, the user agent (a thin client or a micro browser) exists on a wireless client device such as a cellular phone or a personal digital assistant (PDA) with wireless communication capabilities. In such an environment, the user agent has the limited processing power and limited memory. Furthermore, the amount of communication bandwidth is low and the cost of the communication bandwidth is high. Since the basic authentication systems defined in RFC2068 requires the credentials to be continually passed with each request, the basic authentication system is not efficient for a wireless environment wherein the wireless client devices have limited processing power and limited memory and the wireless infrastructure has limited data communication bandwidth.
The present invention introduces a proxy server that handles credential caching for a set of wireless client devices that wish to access protected resources on a second network where the protected resources require credentials. In one embodiment, the proxy server intercepts and caches a wireless client""s credentials when a credential is first sent from the wireless user agent to a protected server on the Internet. To intercept the credential, the proxy server locates the credential in the headers of messages from wireless client devices wherein the examined credential headers are equivalent to the HTTP xe2x80x9cAuthorization:xe2x80x9d header. Once a credential for a particular realm is found, the proxy server caches it in the memory (short term or long term) of the proxy server. The cached credential will then be used for all requests to resources within the same realm. Thus, after first sending a first credential for accessing the resource in a particular realm, the wireless user agent does not need to attach the credential for all the subsequent requests for any other resources belong to the same realm.
In an alternate embodiment, when the proxy server needs a credential (perhaps due to a refused request), the proxy server sends a special request to the wireless client device requesting a credential for a particular resource. The special request may take the form of a simple preformatted display page such that a xe2x80x9cdumb terminalxe2x80x9d wireless client device can be used to communicate with protected Internet resources even though the xe2x80x9cdumbxe2x80x9d wireless client device has no concept of authentication and authorization.
The teachings of the present invention provide several advantages. One of the most important advantages of the present invention is that the present invention reduces the number of bits and bytes that must be transmitted over the low bandwidth and expensive wireless communication infrastructure since a credential does not need to be sent for every request into a protected realm. Furthermore, the present invention reduces the amount of memory used within each wireless client device since the wireless user agent does not have to implement the mechanism for saving the credentials nor does the wireless client device need to reserve memory to store the credentials. The present invention also relieves the wireless client device user from entering the credentials over and over again for accessing protected resources that belong to the same protected realm.